
Windows real time process creation monitor in python

I'm trying to create a "real time" process creation monitor in Python and can't get it to work well.

I have tried to use WMI for that, but it seems that short-lived processes are missed and never reported. I'm guessing that the WMI technique I'm using in Python is "poll" based. This is what I have for now:

import wmi

c = wmi.WMI()
# Intrinsic __InstanceCreationEvent query built by the module; it is polled
# at the watcher's interval, so a process that exits between polls is missed.
process_watcher = c.Win32_Process.watch_for("creation")
while True:
    new_process = process_watcher()  # blocks until the next polled event
    print(new_process.Caption)

This works but, as mentioned, not for short-lived processes. I have used WMI and PyMI, which claims to be a faster implementation, but I got the same results in both cases.

I have tested a C# implementation that I found online, which uses events and not polling:

var startWatch = new ManagementEventWatcher(new WqlEventQuery("SELECT * FROM Win32_ProcessStartTrace"));
startWatch.EventArrived += new EventArrivedEventHandler(startWatch_EventArrived);
startWatch.Start();

This works much better. Is there a way to do the same in Python? I looked at the documentation of both WMI projects and could not make it work the same way.

The answer is here: http://timgolden.me.uk/python/wmi/wmi.html

import wmi

c = wmi.WMI()

# Raw WQL: an intrinsic creation event, polled every 2 seconds (WITHIN 2).
raw_wql = "SELECT * FROM __InstanceCreationEvent WITHIN 2 WHERE TargetInstance ISA 'Win32_Process'"
watcher = c.watch_for(raw_wql=raw_wql)
while True:
    process_created = watcher()  # blocks until the next event arrives
    print(process_created.Name)

or

import wmi

c = wmi.WMI()

# Same query, built by the module from keyword arguments; delay_secs is the
# polling interval that ends up in the WITHIN clause.
watcher = c.watch_for(
    notification_type="Creation",
    wmi_class="Win32_Process",
    delay_secs=2,
)

while True:
    process_created = watcher()
    print(process_created.Name)
    print(process_created)  # full property dump of the new Win32_Process instance
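Added example, not code from the question, the answer or the wmi module: a small monitor that can be fed by either watcher above (the polled Win32_Process creation event or the event-driven Win32_ProcessStartTrace the C# snippet uses) and reports each start together with its parent's name, which the raw events do not carry. The wmi-module calls in run_live (c.Win32_ProcessStartTrace.watch_for(), c.Win32_Process.watch_for("creation")) and the event attribute names are assumptions taken from the WMI class definitions; the sample events are constructed.

```python
from dataclasses import dataclass
from types import SimpleNamespace
from typing import Iterable


@dataclass
class ProcessStart:
    pid: int
    ppid: int
    name: str
    source: str  # "intrinsic" (polled creation event) or "extrinsic" (Win32_ProcessStartTrace)


def normalise(event, source: str) -> ProcessStart:
    # Assumed attribute names: the polled watcher yields the new Win32_Process
    # (Name, ProcessId, ParentProcessId); the trace event carries ProcessName,
    # ProcessID, ParentProcessID. Both are folded into one record.
    if source == "extrinsic":
        return ProcessStart(int(event.ProcessID), int(event.ParentProcessID), str(event.ProcessName), source)
    return ProcessStart(int(event.ProcessId), int(event.ParentProcessId), str(event.Name), source)


class ProcessLineage:
    """pid -> name table so each start is reported with its parent's name; the events only give the parent pid."""

    def __init__(self, existing: dict = None):
        self.names = dict(existing or {})  # newest start wins when Windows reuses a pid
        self.log = []

    def on_start(self, rec: ProcessStart) -> tuple:
        parent = self.names.get(rec.ppid, "<unknown>")  # parent may predate the monitor
        self.names[rec.pid] = rec.name
        entry = (parent, rec.ppid, rec.name, rec.pid, rec.source)
        self.log.append(entry)
        return entry


def consume(events: Iterable, source: str, lineage: ProcessLineage) -> list:
    """Feed raw events (from a real watcher or a constructed list) through the lineage table."""
    return [lineage.on_start(normalise(ev, source)) for ev in events]


def run_live(use_trace: bool = True, limit: int = 10) -> list:
    """Windows-only; assumed wmi-module API. The extrinsic trace needs an elevated process."""
    import wmi  # lazy import: the module is not available off Windows
    c = wmi.WMI()
    lineage = ProcessLineage({p.ProcessId: p.Name for p in c.Win32_Process()})  # seed with running processes
    watcher = c.Win32_ProcessStartTrace.watch_for() if use_trace else c.Win32_Process.watch_for("creation")
    for _ in range(limit):
        print(lineage.on_start(normalise(watcher(), "extrinsic" if use_trace else "intrinsic")))
    return lineage.log


# Constructed sample events standing in for what the two watchers would return.
SAMPLE_TRACE = [SimpleNamespace(ProcessID=4120, ParentProcessID=1000, ProcessName="cmd.exe"),
                SimpleNamespace(ProcessID=4130, ParentProcessID=4120, ProcessName="ping.exe")]
SAMPLE_POLLED = [SimpleNamespace(ProcessId=4140, ParentProcessId=1000, Name="notepad.exe")]
```

Seeding the table from Win32_Process() before watching is what lets the first events resolve their parents; without it every early start reports "<unknown>".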
